Researchers at Trend Micro uncovered a new form of attack exploiting vulnerabilities in a home router.

For the assault to function, a user must use their mobile device to access websites on which sits malicious JavaScript. At that point a second JavaScript will download with DNS changing routines. The infection chain is set in motion by the downloaded JS_JITON script which can infect a mobile device or a modem from several top manufacturers.

Top countries affected are Taiwan, Japan, China, the U.S. and France.

The Trend Micro team explained that the attackers use sophisticated techniques to evade detection, including regularly updating JavaScript codes to amend errors and switching home router targets. The researchers as well saw evidence of keylogging capabilities, but noted that function has since been removed.

They advised users to keep firmware and routers up to date with patches and avoid using default IDs and passwords.

Olsen said the firmware contains malicious iframes that redirect users to Brenz[dot]pl, a site that has been linked to malware distribution, according to an April 9 blog post.

The malicious site was shut down in 2009. However, in 2011 researchers at Sucuri spotted several sites being infected with iframes pointing to the malicious domain.

Olsen told SCMagazine.com via emailed comments although the website currently isn't spreading infections, it looked as though the threat actors could activate it at any point.

He discovered the kit contained malware while probing the system after its interface didn't show any of the normal controls or settings that were available but Olsen wasn't the first to notice a problem with the kit.

Last month, a Whirlpool enthusiast cautioned users in a forum that they came across a version of the camera's firmware which had malware embedded in the HTML pages.

After finding the malware, Olsen said he contacted Amazon who subsequently told him they would contact USG, however as of now neither vendor has taken action yet. The surveillance kit is still available for sale on Amazon.

It's unclear how the kits became infected but Olsen pointed out that the device wasn't delivered directly from China where the product is supposedly made.

Olsen said USG is denying the existence of the malware but nevertheless is offering a solution to "fix" the problem.

SCMagazine.com attempted to contact Amazon, Sony, and USG but has yet to receive comment.

Security researchers have warned that hundreds of popular extensions for the Firefox browser have exposed millions of users to hack attacks.
Researchers from the Northeastern University in Boston discovered a flaw that allows hackers to stealthily execute malicious code hiding behind a seemingly benign extension, such as NoScript and Firebug, and steal data.

The flaw is attributed to a weakness in Firefox’s extension structure, which fails to isolate various browser add-ons. This allows them to connect to the capabilities of other popular third-party extensions.

Hackers could exploit an extension reuse flaw by developing their own add-ons that hide malicious code and tap into the legitimate functions of popular extensions.
Connecting to other legitimate extensions allows hacker-developed add-ons to bypass Firefox’s security checks and extension vetting processes and gain access to a user's machine.

Extensions in the Firefox browser are handled with elevated user privileges, so the hidden malicious code can be used to steal passwords, private browsing data and system resources.

The more privileges a vulnerable extension has, the more scope a hacker has to gain access to data.

The flaw affects extensions with large user bases, such as DownloadHelper, which has over six million users, and NoScript, which has two million, indicating that the scope of the vulnerability is significant.

It is not clear whether the flaw has actually affected any users, as the researchers demonstrated it only as a proof-of-concept. They have supplied the attack framework to Mozilla so that the firm can improve the way it handles security in reviewing extension approvals.

The flaw is likely to be bypassed when Mozilla moves Firefox to its new WebExtensions model that isolates extensions. The company has given developers 18 months to migrate add-ons to the new model before the old extensions are purged.
Firefox is no stranger to dealing with threats and vulnerabilities, having suffered an attack that stole sensitive information from its Bugzilla account.

NEWS ANALYSIS: While the vast quantity of information revealed in the breach of the Mossack Fonseca law firm far exceeds the volume taken by Edward Snowden, the main question is how this could happen?

My first reaction after reading accounts about the breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel.

However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.

While the details of the attack on Mossack Fonseca haven't been fully revealed, and while there's a great deal of hay being made by newspapers reporting details about prominent people who have offshore financial accounts, the really important story is about what was'’t in the breach. And no, I'm not talking about the puzzling lack of involvement by Americans. What's clearly lacking is even the most basic attempt at protecting the firm's client data.

The firm’s founding partner, Ramon Fonseca, has revealed in an interview with Reuters that the attack that allowed hackers to make off with something over two terabytes of sensitive scans and images along with other information was an external hack. He said that this was not an inside job. That's a surprising confession made only a couple of days after the hack was discovered and after the contents of the firm's files were published far and wide in newspapers and on Websites.

So what really happened? Security experts I've talked to tell me that Mossack Fonseca was almost certainly the victim of a spear-phishing attack, with an email that released malware that opened up access to the firm's network. That would make Fonseca's statement correct, since it doesn't appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.

But here's where it gets tricky. Even if the attack came from outside, the information on who to target in the attack had to come from somewhere. The fact that the entire digital assets of the firm appear to have been laid bare would indicate that the target had to be someone very senior in the firm, or that the firm simply allowed any employee to look at anything on its servers. So where did the information on employees with privileged access come from?

The chances are very good that the critical information came from inside the firm, perhaps unwittingly. The names of some of the lawyers at the firm can be found on the company's Website with minimal effort. The names of the principals are public, but which of these people to attack? A list of partners with their email addresses could be all that was needed.

Well placed emails were all that was required to carry out the recent spate of CEO spear-phishing attacks that have recently struck companies of all sizes. A senior person at a company gets an email with a plausible request for information that seems to be from someone they know.

The executive provides the requested information and clicks. That's all it takes.
"It's very easy because a lot of companies don't have a lot of security awareness education programs on how to avoid being spear-phished," said Tyler Cohen Wood, a security advisor at Inspired eLearning.

Wood is a former Defense Intelligence Agency senior intelligence officer and cyber-deputy division chief, who has over 16 years working on security issues at the Department of Defense. She said that many breaches can be avoided with some fairly straightforward training in recognizing a spear-phishing attack.

Unfortunately, it doesn't really matter how access was gained because once inside the hackers had their way with the firm's data. Apparently none of it was segmented, none seemed to have access restricted to specific people, none of it was encrypted and apparently nobody was paying attention to the network traffic. How else can you explain how over two terabytes of data was exfiltrated from the company's network with no one noticing?

The theft of so much data could have been enabled by what Wood calls an "unintentional insider," which is someone who provides the critical information for penetrating a network without realizing that they are doing so. She said that such gaps in security can be reduced by appropriate training.

But much of the blame at the firm goes beyond just training employees. Like Target before its breach, apparently there was nothing to prevent someone who had access to the network from getting anywhere on the network they wanted, including some highly sensitive areas that contained the private information of clients.

Worse, there appears to have been nothing in the way of intrusion detection. How else can you explain the ability to move that much data out of a network without anyone noticing? Even if someone had walked into the law firm's office with a portable hard drive and started copying, the process would have taken hours or days. If the breach was done remotely as the firm claims, it could have taken weeks to siphon off all that data.

Regardless of how the perpetrators breached the network, the fact is that lax security practices at Mossack Fonseca must have played a role. Otherwise, even if hackers had managed to get in without assistance, they couldn't have downloaded so much data.

There are important lessons in the Mossack Fonseca breach, not the least of which is to pay more than lip service to security. Even if it's not possible to eliminate all breaches, it's still possible to limit the damage.

Hopefully the firm will take steps to lock things down. And hopefully when all those Icelandic, Russian and Chinese leaders go looking for a private place to shelter the proceeds of their graft, they'll check the service provider's security before they do anything else.

and adobe released some flash player patches which are always of the utmost importance if you allow flash advertisements to display on your browser

MS16-045 This one will be a major headache for those who run and host virtual machines on Hyper-V. A flaw in the hypervisor could allow a "guest" instance to access the host system and execute code, in addition to infecting the host system or accessing data from other hosted instances.
MS16-037 A cumulative update for Internet Explorer that addresses six flaws, including remote code execution vulnerabilities that can be exploited by loading a malicious web page.
MS16-038 A cumulative update for the Edge browser that, like the IE fix, patches six vulnerabilities, including remote code execution from malicious web pages.
MS16-039 A patch to address a remote code execution flaw present in Windows, .NET Framework, Office, Skype for Business, and Microsoft Lync. According to Microsoft, the vulnerability "could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts."
MS16-040 A single flaw in the XML Core Services component in Windows that allows an attacker to take control of a system by convincing the user to click a link "typically by way of an enticement in an email or Instant Messenger message."
MS16-041 A remote code execution bug in the .NET Framework that allows an attacker who already has access to the local system to install and execute a malicious application.
MS16-042 Four memory corruption vulnerabilities in Office that allow an attacker to remotely execute code by convincing the user to open a malicious Office file. One of the flaws also affects Office for Mac, meaning Apple users will need to patch their software as well.
MS16-044 A vulnerability in Windows OLE that allows an attacker to remotely execute code by convincing the target to open "either a specially crafted file or a program from either a webpage or an email message."
MS16-046 A flaw in the Windows Secondary Logon that allows an attacker to elevate their user privilege level to Administrator.
MS16-047 A "man in the middle" flaw in the Windows Security Account Manager and Local Security Authority Domain components that allows an attacker with access to network traffic the ability to downgrade security controls and then impersonate the user – aka the Badlock bug.
MS16-048 A vulnerability in Windows CSRSS that potentially allows an attacker to bypass security credentials and gain administrator access by exploiting a flaw in the way CSRSS handles memory tokens.
MS16-049 A denial of service vulnerability in Windows that allows an attacker to freeze a targeted machine just by sending a malicious HTTP packet.
MS16-050 A cumulative update for Flash Player addressing a total of 10 security bugs, including remote code execution flaws.

A nasty piece of ransomware that took crypto-extortion to new heights contains a fatal weakness that allows victims to decrypt their data without paying the hefty ransom.

When it came to light two weeks ago, Petya was notable because it targeted a victim's entire startup drive by rendering its master boot record inoperable. It accomplished this by encrypting the master boot file and displaying a ransom note. As a result, without the decryption password, the infected computer wouldn't boot up, and all files on the startup disk were inaccessible. A master boot record is a special type of boot sector at the very beginning of partitioned hard drive, while a master boot file is a file on NTFS volumes that contains the name, size and location of all other files.

Petya performs fake CHKDSK, and instead encrypts the master file table on disk.
Now, someone who goes by the Twitter handle @leostone has devised a tool that generates the password Petya requires to decrypt the master boot file. To use the password generator, victims must remove the startup drive from the infected computer and connect it to a separate Windows computer that's not infected. The victim then extracts data from the hard drive, specifically (1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and (2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21). By inputting the data into this Web app created by @leostone, the victim can retrieve the password Petya used to decrypt the crucial file.

Obtaining the hard drive data the Web app needs to derive the password isn't a straight-forward undertaking for many. Fortunately, a separate researcher has developed a free tool called the Petya Sector Extractor that obtains the data in seconds. The app must be run on the computer that's connected to the infected hard drive.

Bleeping Computer, a reputable self-help computer forum, reports that the technique works as billed and provides this step-by-step tutorial that walks people through the entire process. As Ars reported two weeks ago, a technical analysis written in German had already noted that the "encryption" used by Petya in its first phase is a simple fixed-value XOR of the Master Boot Record. That observation likely planted the seeds for the tools that were only recently made available.

The ease of retrieving the password is yet another reminder of the oft-repeated maxim that crypto is hard—both for good and bad guys alike. The task can be particularly difficult when deriving and storing a password on a computer that's accessible to the adversary. But difficult and impossible aren't the same thing. It wouldn't be surprising if the Petya developers fix this weakness in a future version. Once that happens, the newly developed tools will no longer work.

Chrome Safe Browsing Now Warns Against Fake 'Download' Buttons And Other Deceptive Ads

Michael Crider
14 hours ago

You know those fake "download" buttons you see when you're searching for old Super NES ROMs completely legitimate open-source software? The kind that advertising networks sometimes spit out even on otherwise above-board sites? Yeah, they're awful, and they often link directly to copycat or malicious files. Google hates them as much as you do, and is taking steps to make them less effective. Starting today, Chrome browsers on all platforms will warn visitors to sites with potentially misleading or fake "download" ads.

The new system is an extension of Safe Browsing, that big red web stop sign that sometimes warns you of possible malware, phishing, or legitimate sites that have been compromised. Safe Browsing is used by approximately a billion web users, at least according to Google, so implementing this warning system could have some very wide-reaching effects. We could be so bold as to hope that the jerks who make these fake download ads might try something else, like jumping off the nearest cliff.

The new changes will also apply to those fake "error" or "virus found!" ads and all manner of deceptive social engineering. The addition to the Safe Browsing warnings won't actually block said ads, so you'll still have to be wary on those few occasions when you visit download sites that are less than scrupulous... which you should be doing anyway.

If you're running Windows, you should probably uninstall QuickTime before you get yelled at by your tech friend — or the U.S. government.

On Thursday, the U.S. Department of Homeland Security recommended Windows users uninstall QuickTime to avoid cyberattacks.

That's because Apple is no longer providing security updates for the video player on Windows, according to the security site Trend Micro. The site flagged vulnerabilities in the software. And without updates, those security issues aren't going anywhere.

Uninstalling QuickTime shouldn't be too much of an inconvenience. As Wired points out, there are plenty of other options for Windows users — which could be one of the reasons Apple might be abandoning the video player for Windows.

Before you panic, there aren't known active attacks, and the warning does not apply to Mac users.

Windows users are left stranded and vulnerable from "true" zero-day vulnerabilities, exploits for which there is no patch and none coming either.

Typically, software vendors provide users with some public direction or announcement on when a product will no longer be supported and reaches its end of life. Apparently, that didn't happen with Apple's QuickTime media player for Windows, which is now at risk from a pair of zero-day vulnerabilities that will not be patched.
The Zero Day Initiative (ZDI), which is owned by security vendor Trend Micro, issued a pair of security advisories on April 14 warning of zero-day vulnerabilities in Apple's QuickTime for Windows.
"The vendor has 120 days from notification until we release our advisory," Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. "They can petition for an extension, which will be evaluated on a case-by-case basis."
Source Incite security researcher Steven Seeley reported the two Apple QuickTime vulnerabilities to ZDI. ZDI, which became part of Trend Micro by way of a $300 million acquisition of TippingPoint from Hewlett Packard Enterprise, is in the business of buying vulnerabilities from security researchers and then responsibly disclosing them to vendors so they can be patched. ZDI is not publicly disclosing what it paid Seeley for the vulnerabilities.
According to the ZDI's disclosure timeline, it reported the two QuickTime for Windows vulnerabilities to Apple on Nov. 11, 2015, and Apple acknowledged that it received the vulnerability reports the same day. On March 9, 2016, ZDI was on a call with Apple, where it was informed that QuickTime for Windows was going to be deprecated. At that point, ZDI noted that it warned Apple that the two flaws would be considered zero-days.
Both the ZDI-16-241 and ZDI-16-242 flaws in Apple's QuickTime for Windows are memory heap corruption remote code execution vulnerabilities. "Both vulnerabilities can be exploited by malicious Web pages that the user would have to navigate to," Budd said.
The two issues are specific to Apple's QuickTime on Windows and do not impact QuickTime on the OS X operating system.
The only public response Apple has provided to date for the QuickTime issue is a link to a support page providing uninstall instructions.
"Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins," Apple stated. "Removing legacy browser plug-ins enhances the security of your PC."
The fact that Apple didn't provide notice for ending support of QuickTime for Windows ahead of ZDI's vulnerability report wasn't necessary a surprise for Budd and Trend Micro.
"I wouldn't say we were surprised, but there is no public timeline for support ending for QuickTime like you have with Microsoft and their products or Oracle with theirs," Budd said.
Going a step further, while ZDI has now publicly disclosed two flaws in Apple's QuickTime for Windows, there could well be additional security vulnerabilities in the software that haven't yet passed ZDI's 120-day disclosure policy.
"We make a list of upcoming advisories available here: http://www.zerodayinitiative.com/advisories/upcoming/," Budd said. "To protect everyone, we don't go into any more detail than is provided there."

A new ransomware named Jigsaw, inspired by the eponymous character in the Saw horror film franchise, subjects its victims to a countdown clock, deleting files every hour at an escalating rate until a $150 ransom is paid. According to a Bleeping Computer security alert, it's the first time a ransomware has followed through on its threat to not only encrypt, but actually erase content.

The ransomware, whose threat note features an image of the Jigsaw killer's mask, is booby trapped to delete a thousand files at once from a computer if the user attempts to reboot or terminate the process.

Fortunately, there is an escape for Jigsaw's victims: a collective of researchers, including Bleeping Computerowner Lawrence Abrams, researcher Michael Gillespie and the MalwareHunterTeam found a way to neutralize the ransomware with a decryptor program.

Spy agencies like the NSA and many others aren’t the only ones able to bug your calls and text messages, a new investigation shows. It turns out that anyone with the right equipment and know-how can tap into a carrier’s phone network to access calls and text messages for without the target’s knowledge.

The news comes from Australia’s 60 Minutes, which spoke to security researchers who have proven that an SS7 inter-carrier network security flaw lets individuals track your cell phone anywhere in the world, and it can also be used to gain access to phone calls and text messages.

Anyone with access to a carrier’s phone network would be able to intercept phone calls and text messages, record them, and reroute them to their original destinations, without the cell phone user knowing what’s happening.

The key takeaway from the report is that you need to get access to the SS7 portals in order to actually take advantage of the bug, which might be a tough job for regular people. SS7 portals route calls between mobile operators, allowing phones to roam from one country to another.

In the wrong hands, access to an SS7 portal can be abused so that hackers or spy agencies can collect data from a target, including login credentials. The service can also be used to reroute calls to premium numbers that generate income for hackers, or block a person from dialing certain numbers.

60 Minutes also reports that some providers may offer SS7 access illicitly to third parties include spy agencies. The report cited one company that claimed to pay $16,000 per month for online access to SS7 tracking.

The SS7 vulnerability can be patched, according to the report, but some countries might not be necessarily interested in fixing the issue. This way, local spy agencies can continue various surveillance operations that take advantage of the flaw.

Three local Australian carriers, including Telstra, Optus and Vodafone, have all said in statements users’ privacy and security is very important to them, effectively denying any knowledge about SS7 hacks happening on their watch in the region.

NoScript and other popular Firefox add-ons open millions to new attack
Unlike many browsers, Firefox doesn't always isolate an add-on’s functions.

by Dan Goodin - Apr 6, 2016 1:02am AST

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.

"These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks," the researchers wrote in a paper that was presented last week at the Black Hat security conference in Singapore. "Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures."

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code. Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer's file system, or to open webpages to sites of an attacker's choosing.

The researchers noted that attackers must clear several hurdles for their malicious add-on to succeed. First, someone must go through the trouble of installing the trojanized extension. Second, the computer that downloads it must have enough vulnerable third-party add-ons installed to achieve the attackers' objective. Still, the abundance of vulnerable add-ons makes the odds favor attackers, at least in many scenarios.

In many cases, a single add-on contains all the functionality an attacker add-on needs to cause a computer to open a malicious website. In other cases, the attacker add-on could exploit one third-party add-on to download a malicious file and exploit a second third-party add-on to execute it. In the event that a targeted computer isn't running any third-party add-ons that can be exploited, the attacker-developed add-on can be programmed to provide what's known as a "soft fail" so that the end user has no way of detected an attempted exploit. Here's a diagram showing how the new class of attack works.

"We note that while it is possible to combine multiple extension-reuse vulnerabilities in this way to craft complex attacks, it is often sufficient to use a single vulnerability to successfully launch damaging attacks, making this attack practical even when a very small number of extensions are installed on a system," the researchers wrote. "For example, an attacker can simply redirect a user that visits a certain URL to a phishing website or automatically load a web page containing a drive-by-download exploit."

Proof of concept

The researchers said they developed an add-on containing about 50 lines of code that passed both Mozilla's automated analysis and its full review process. Ostensibly, ValidateThisWebsite—as the add-on was called—analyzed the HTML code of a given website to determine if it was compliant with current standards. Behind the scenes, the add-on made a cross-extension call to NoScript that caused Firefox to open a Web address of the researchers' choosing.

The vulnerability is the result of a lack of add-on isolation in the Firefox extension architecture. By design, Firefox allows all JavaScript extensions installed on a system to share the same JavaScript namespace, which is a digital container of specific identifiers, functions, methods, and other programming features used in a particular set of code. The shared namespace makes it possible for extensions to read from and write to global variables defined by other add-ons, to call or override other global functions, and to modify instantiated objects. The researchers said that a newer form of Firefox extension built on the alternative JetPack foundation theoretically provides the isolation needed to prevent cross-extension calls. In practice, however, JetPack extensions often contain enough non-isolated legacy code to make them vulnerable.

In an e-mail, Firefox's vice president of product issued the following statement:

The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative—our project to introduce multi-process architecture to Firefox later this year—we will start to sandbox Firefox extensions so that they cannot share code.

In the meantime, the researchers said Firefox users would benefit from improvements made to the screening process designed to detect malicious add-ons when they're submitted. To that end, they have developed an application they called CrossFire that automates the process of finding cross-extension vulnerabilities. In their paper, they proposed that it or a similar app be incorporated into the screening process.

"Naturally, we do not intend our work to be interpreted as an attack on the efforts of Firefox's cadre of extension vetters, who have an important and difficult job," the researchers wrote. "However, since the vetting process is the fundamental defense against malicious extensions in the Firefox ecosystem, we believe it is imperative that (i) extension vetters be made aware of the dangers posed by extension-reuse vulnerabilities, and that (ii) tool support be made available to vetters to supplement the manual analyses and testing they perform."

Car theft in the UK has been reduced by 90% in the last 20 years, car crime now being organised rather than random due to the preventative systems that have been put in place, yet manufacturers are rushing to embrace technology that leaves car security wide open to abuse and even simpler to circumvent than 20 years ago.

Go figure.

Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!"

The threat posed by Rowhammer is probably at least a few years away from being practical. Still, given recent findings that the bug extends to DDR4 memory, not just DDR3 as previously believed, there's reason for measured concern. Unlike most vulnerabilities, Rowhammer is a physical defect that resides in the hardware itself, so it may not be as easy to fix. While manufacturers are working on measures to prevent Rowhammer attacks, it's important for them to keep abreast of the latest research to make sure the defenses can't be bypassed by new techniques.